QR codes have been used to encode access credentials (e.g., payment credentials such as a primary account number) to access a resource (e.g., goods or services at a merchant, access to an airplane, etc.). In some cases, a QR code may be displayed on a user's phone well in advance of the time that the user may actually use the QR code. When the QR code is displayed in this manner, there is a chance that the QR code may be stolen by a third party and possibly used. For example, a user may intend to use a QR code that is displayed on the user's phone and that encodes a payment account number to pay for an item. The user may stand in line waiting for his turn to pay at the merchant's POS terminal. Well prior to arriving at the POS terminal, the user may have caused the mobile phone to generate the QR code. While standing in line, the user may be holding the mobile phone in a position (e.g., with the display facing outward from the user) that can allow an unauthorized person to take a picture of the QR code. Once the unauthorized person takes the picture of the QR code, it is possible for the user to use the QR code to make purchases with it. More secure ways of generating and using QR codes, or other scannable images, are therefore needed.
Embodiments of the invention address this and other problems, individually and collectively.